The Payment Card Industry Security Standards Council (PCI SSC), a coalition of credit card issuers including American Express, Mastercard and Visa, has released new information that should act as a warning to any business that accepts credit cards in the EU. By 2018, the new European Union General Data Protection Regulation (GDPR) will go into effect, bringing with it very hefty financial consequences for companies that fail to to comply.
By the PCI SSC’s estimation, in the first year of the new GDPR, we could expect to see fines of up to £122 billion levied against UK firms in 2018 alone. That’s a huge jump from regulatory fines today, which hit £1.4 billion total in the UK in 2015.
One of the reasons for this increase is down to the GDPR removing the cap on fines against organizations – currently set at £500,000 – and replacing it with fines of up to €20 million or 4% of global annual net sales (not profit).
The EU GDPR, officially adopted in April this year, brings with it a number of major updates and changes to data protection and consumer privacy policies. EU companies have two years to prepare for these changes, which include:
- A widened scope in defining what “personal information” is
- More robust and responsive reporting of data breaches by breached organizations
- A consumer’s “right to erasure” (similar to Google’s “right to be forgotten” case)
- Much heftier fines for data misuse or general non-compliance
In addition to government-levied standards like the new EU GDPR, PCI’s own standards are already a major area of compliance concern for many companies around the world, not without its own controversy.
Do these kinds of regulations actually help companies get their affairs in order and maintain good security practices, or do they simply set a “check the box” mentality for firms who don’t take their security seriously enough?
While companies do have two years to get ready for the new EU GDPR policies to become actively enforced, organizations like the PCI SSC are urging firms to start acting now to become compliant and avoid an inevitable last-minute scramble.
After all, come 2018, the potential financial consequences of non-compliance could be very painful indeed.
Mark
As a Local Government employee I’d say that ICT Security staff need measures and fines such as these to use as a big stick to wave at senior managers to actually get them to realise the importance of ICT Security.
Some senior managers play the numbers thinking that it’s not important because it’ll never happen to us but once you point out that they will be responsible for the fines for breaches then they soon perk up even if just to assign a junior officer to take responsibility :)